<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	
	>
<channel>
	<title>Comments on: Aftermath: Security trends 2014</title>
	<atom:link href="http://www.epanorama.net/blog/2014/12/21/aftermath-security-trends-2014/feed/" rel="self" type="application/rss+xml" />
	<link>https://www.epanorama.net/blog/2014/12/21/aftermath-security-trends-2014/</link>
	<description>All about electronics and circuit design</description>
	<lastBuildDate>Tue, 14 Apr 2026 22:35:42 +0000</lastBuildDate>
		<sy:updatePeriod>hourly</sy:updatePeriod>
		<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.9.14</generator>
	<item>
		<title>By: Tomi Engdahl</title>
		<link>https://www.epanorama.net/blog/2014/12/21/aftermath-security-trends-2014/comment-page-1/#comment-1357833</link>
		<dc:creator><![CDATA[Tomi Engdahl]]></dc:creator>
		<pubDate>Mon, 16 Mar 2015 09:53:34 +0000</pubDate>
		<guid isPermaLink="false">http://www.epanorama.net/newepa/?p=27727#comment-1357833</guid>
		<description><![CDATA[And the buggiest OS provider award goes to ... APPLE?
Count of 2014&#039;s flaws finds more nasties in Mac OS and iOS than in Windows or Linux
http://www.theregister.co.uk/2015/02/26/windows_beats_apple_linux_with_fewest_bugs_for_2014/

Apple&#039;s operating systems and Linux racked up more vulnerability reports than Windows during 2014, according to research from security outfit GFI.

Cupertino&#039;s OS X and iOS platforms topped the 2014 bug charts with 147 and 127 holes disclosed in each, nudging out the Linux Kernel with 119 flagged flaws, the National Vulnerability Database statistics show.

Apple also has the most high-risk holes with 64 reported in OS X, and is just nudged out by Linux in the medium-severity stakes which clocked 74 flaws to iOS&#039; 72.

Windows platforms were far behind with 68 total reported bugs and 20 medium-severity flaws reported. Surveyed Windows releases included Windows 8, 8.1, 7, Vista, and RT, along with Server 2012 and 2008. All had between 30 and 38 vulnerabilities.

Crucially, up to 80 percent of the reported bugs concerned third party applications, and only 13 percent related to the operating systems in question.]]></description>
		<content:encoded><![CDATA[<p>And the buggiest OS provider award goes to &#8230; APPLE?<br />
Count of 2014&#8217;s flaws finds more nasties in Mac OS and iOS than in Windows or Linux<br />
<a href="http://www.theregister.co.uk/2015/02/26/windows_beats_apple_linux_with_fewest_bugs_for_2014/" rel="nofollow">http://www.theregister.co.uk/2015/02/26/windows_beats_apple_linux_with_fewest_bugs_for_2014/</a></p>
<p>Apple&#8217;s operating systems and Linux racked up more vulnerability reports than Windows during 2014, according to research from security outfit GFI.</p>
<p>Cupertino&#8217;s OS X and iOS platforms topped the 2014 bug charts with 147 and 127 holes disclosed in each, nudging out the Linux Kernel with 119 flagged flaws, the National Vulnerability Database statistics show.</p>
<p>Apple also has the most high-risk holes with 64 reported in OS X, and is just nudged out by Linux in the medium-severity stakes which clocked 74 flaws to iOS&#8217; 72.</p>
<p>Windows platforms were far behind with 68 total reported bugs and 20 medium-severity flaws reported. Surveyed Windows releases included Windows 8, 8.1, 7, Vista, and RT, along with Server 2012 and 2008. All had between 30 and 38 vulnerabilities.</p>
<p>Crucially, up to 80 percent of the reported bugs concerned third party applications, and only 13 percent related to the operating systems in question.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Tomi Engdahl</title>
		<link>https://www.epanorama.net/blog/2014/12/21/aftermath-security-trends-2014/comment-page-1/#comment-1349313</link>
		<dc:creator><![CDATA[Tomi Engdahl]]></dc:creator>
		<pubDate>Fri, 27 Feb 2015 10:08:58 +0000</pubDate>
		<guid isPermaLink="false">http://www.epanorama.net/newepa/?p=27727#comment-1349313</guid>
		<description><![CDATA[Iran hacks America where it hurts: Las Vegas casinos
Digital Pearl Harbour debunked by US director of national intelligence
http://www.theregister.co.uk/2015/02/27/iran_behind_us_casino_hack/

US director of National Intelligence James Clapper has accused Iran of orchestrating a 2014 hack of the Las Vegas Sands casino. The attack crippled the magnificent cultural institution&#039;s IT infrastructure.

Clapper told a US Senate Armed Services Committee Thursday (US time) that the hack of the US$14 billion casino was the handiwork of Iran rather than ordinary hacking groups, Bloomberg reports.

&quot;While both of these nations (Iran and North Korea) have lesser technical capabilities in comparison to Russia and China, these destructive attacks demonstrate that Iran and North Korea are motivated and unpredictable cyber-actors,&quot; Clapper says.

The attacks brought down the casino&#039;s IT systems including email but not the most valuable components of the organisation.

The gambling giant said at the time that punters&#039; credit card details were safe.

Las Vegas Sands appears to have been targeted due to the casino chief executive officer Sheldon Adelson&#039;s public support of Israel, according to Bloomberg.

The alleged Iranian hackers commandeered the website emblazoning it with a shoddy slapdash image of the Casino&#039;s US sites in flames

DON&#039;T PANIC! No credit card details lost after hackers crack world&#039;s largest casino group
Las Vegas Sands email and website still down after hackers trash CEO Sheldon Adelson
http://www.theregister.co.uk/2014/02/13/dont_panic_no_credit_card_details_lost_after_hackers_crack_worlds_largest_casino_group/]]></description>
		<content:encoded><![CDATA[<p>Iran hacks America where it hurts: Las Vegas casinos<br />
Digital Pearl Harbour debunked by US director of national intelligence<br />
<a href="http://www.theregister.co.uk/2015/02/27/iran_behind_us_casino_hack/" rel="nofollow">http://www.theregister.co.uk/2015/02/27/iran_behind_us_casino_hack/</a></p>
<p>US director of National Intelligence James Clapper has accused Iran of orchestrating a 2014 hack of the Las Vegas Sands casino. The attack crippled the magnificent cultural institution&#8217;s IT infrastructure.</p>
<p>Clapper told a US Senate Armed Services Committee Thursday (US time) that the hack of the US$14 billion casino was the handiwork of Iran rather than ordinary hacking groups, Bloomberg reports.</p>
<p>&#8220;While both of these nations (Iran and North Korea) have lesser technical capabilities in comparison to Russia and China, these destructive attacks demonstrate that Iran and North Korea are motivated and unpredictable cyber-actors,&#8221; Clapper says.</p>
<p>The attacks brought down the casino&#8217;s IT systems including email but not the most valuable components of the organisation.</p>
<p>The gambling giant said at the time that punters&#8217; credit card details were safe.</p>
<p>Las Vegas Sands appears to have been targeted due to the casino chief executive officer Sheldon Adelson&#8217;s public support of Israel, according to Bloomberg.</p>
<p>The alleged Iranian hackers commandeered the website emblazoning it with a shoddy slapdash image of the Casino&#8217;s US sites in flames</p>
<p>DON&#8217;T PANIC! No credit card details lost after hackers crack world&#8217;s largest casino group<br />
Las Vegas Sands email and website still down after hackers trash CEO Sheldon Adelson<br />
<a href="http://www.theregister.co.uk/2014/02/13/dont_panic_no_credit_card_details_lost_after_hackers_crack_worlds_largest_casino_group/" rel="nofollow">http://www.theregister.co.uk/2014/02/13/dont_panic_no_credit_card_details_lost_after_hackers_crack_worlds_largest_casino_group/</a></p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Tomi Engdahl</title>
		<link>https://www.epanorama.net/blog/2014/12/21/aftermath-security-trends-2014/comment-page-1/#comment-1348221</link>
		<dc:creator><![CDATA[Tomi Engdahl]]></dc:creator>
		<pubDate>Wed, 25 Feb 2015 11:28:50 +0000</pubDate>
		<guid isPermaLink="false">http://www.epanorama.net/newepa/?p=27727#comment-1348221</guid>
		<description><![CDATA[A Cyberattack Has Caused Confirmed Physical Damage for the Second Time Ever
http://www.wired.com/2015/01/german-steel-mill-hack-destruction/

Amid all the noise the Sony hack generated over the holidays, a far more troubling cyber attack was largely lost in the chaos. Unless you follow security news closely, you likely missed it.

I’m referring to the revelation, in a German report released just before Christmas (.pdf), that hackers had struck an unnamed steel mill in Germany. They did so by manipulating and disrupting control systems to such a degree that a blast furnace could not be properly shut down, resulting in “massive”—though unspecified—damage.

This is only the second confirmed case in which a wholly digital attack caused physical destruction of equipment. The first case, of course, was Stuxnet

It’s not clear when the attack in Germany took place. The report, issued by Germany’s Federal Office for Information Security (or BSI), indicates the attackers gained access to the steel mill through the plant’s business network, then successively worked their way into production networks to access systems controlling plant equipment. The attackers infiltrated the corporate network using a spear-phishing attack

Once the attackers got a foothold on one system, they were able to explore the company’s networks, eventually compromising a “multitude” of systems, including industrial components on the production network.

“Failures accumulated in individual control components or entire systems,” the report notes. As a result, the plant was “unable to shut down a blast furnace in a regulated manner” which resulted in “massive damage to the system.”

“The know-how of the attacker was very pronounced not only in conventional IT security but extended to detailed knowledge of applied industrial controls and production processes,” the report says.

The report doesn’t name the plant or indicate when the breach first occurred or how long the hackers were in the network before the destruction occurred.

The report also illustrates the need for strict separation between business and production networks to keep hackers from leaping from one network to another and remotely accessing critical systems over the internet. Although a network can only be considered truly air-gapped if it’s not connected to the internet and is not connected to other systems that are connected to the internet, many companies believe that a software firewall separating the business and production network is sufficient to stop hackers from making that leap. But experts warn that a software firewall can be misconfigured or contain security holes that allow hackers to break through or bypass them nonetheless.]]></description>
		<content:encoded><![CDATA[<p>A Cyberattack Has Caused Confirmed Physical Damage for the Second Time Ever<br />
<a href="http://www.wired.com/2015/01/german-steel-mill-hack-destruction/" rel="nofollow">http://www.wired.com/2015/01/german-steel-mill-hack-destruction/</a></p>
<p>Amid all the noise the Sony hack generated over the holidays, a far more troubling cyber attack was largely lost in the chaos. Unless you follow security news closely, you likely missed it.</p>
<p>I’m referring to the revelation, in a German report released just before Christmas (.pdf), that hackers had struck an unnamed steel mill in Germany. They did so by manipulating and disrupting control systems to such a degree that a blast furnace could not be properly shut down, resulting in “massive”—though unspecified—damage.</p>
<p>This is only the second confirmed case in which a wholly digital attack caused physical destruction of equipment. The first case, of course, was Stuxnet</p>
<p>It’s not clear when the attack in Germany took place. The report, issued by Germany’s Federal Office for Information Security (or BSI), indicates the attackers gained access to the steel mill through the plant’s business network, then successively worked their way into production networks to access systems controlling plant equipment. The attackers infiltrated the corporate network using a spear-phishing attack</p>
<p>Once the attackers got a foothold on one system, they were able to explore the company’s networks, eventually compromising a “multitude” of systems, including industrial components on the production network.</p>
<p>“Failures accumulated in individual control components or entire systems,” the report notes. As a result, the plant was “unable to shut down a blast furnace in a regulated manner” which resulted in “massive damage to the system.”</p>
<p>“The know-how of the attacker was very pronounced not only in conventional IT security but extended to detailed knowledge of applied industrial controls and production processes,” the report says.</p>
<p>The report doesn’t name the plant or indicate when the breach first occurred or how long the hackers were in the network before the destruction occurred.</p>
<p>The report also illustrates the need for strict separation between business and production networks to keep hackers from leaping from one network to another and remotely accessing critical systems over the internet. Although a network can only be considered truly air-gapped if it’s not connected to the internet and is not connected to other systems that are connected to the internet, many companies believe that a software firewall separating the business and production network is sufficient to stop hackers from making that leap. But experts warn that a software firewall can be misconfigured or contain security holes that allow hackers to break through or bypass them nonetheless.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Tomi Engdahl</title>
		<link>https://www.epanorama.net/blog/2014/12/21/aftermath-security-trends-2014/comment-page-1/#comment-1348157</link>
		<dc:creator><![CDATA[Tomi Engdahl]]></dc:creator>
		<pubDate>Wed, 25 Feb 2015 09:14:51 +0000</pubDate>
		<guid isPermaLink="false">http://www.epanorama.net/newepa/?p=27727#comment-1348157</guid>
		<description><![CDATA[HP: 10 most common security issues in 2014 were from code over two years old
... and sometimes dating back decades 
http://www.theinquirer.net/inquirer/news/2396783/hp-10-most-common-security-issues-in-2014-were-from-code-over-two-years-old

NEARLY HALF of all security breaches come from vulnerabilities that are between two and four years old, according to this year&#039;s HP Cyber Risk Report entitled The Past Is Prologue.

The annual report found that the most prevalent problems came as a result of server misconfiguration, and that the primary causes of commonly exploited software vulnerabilities are defects, bugs and logic flaws.

But perhaps most disturbing of all was the news that Internet of Things (IoT) devices and mobile malware have introduced a significant extra security risk.

The entire top 10 vulnerabilities exposed in 2014 came from code written years, and in some cases decades, previously.

&quot;Many of the biggest security risks are issues we’ve known about for decades, leaving organisations unnecessarily exposed,&quot; said Art Gilliland, senior vice president and general manager for enterprise security products at HP.

&quot;We can’t lose sight of defending against these known vulnerabilities by entrusting security to the next silver bullet technology. Rather, organisations must employ fundamental security tactics to address known vulnerabilities and, in turn, eliminate significant amounts of risk.&quot;]]></description>
		<content:encoded><![CDATA[<p>HP: 10 most common security issues in 2014 were from code over two years old<br />
&#8230; and sometimes dating back decades<br />
<a href="http://www.theinquirer.net/inquirer/news/2396783/hp-10-most-common-security-issues-in-2014-were-from-code-over-two-years-old" rel="nofollow">http://www.theinquirer.net/inquirer/news/2396783/hp-10-most-common-security-issues-in-2014-were-from-code-over-two-years-old</a></p>
<p>NEARLY HALF of all security breaches come from vulnerabilities that are between two and four years old, according to this year&#8217;s HP Cyber Risk Report entitled The Past Is Prologue.</p>
<p>The annual report found that the most prevalent problems came as a result of server misconfiguration, and that the primary causes of commonly exploited software vulnerabilities are defects, bugs and logic flaws.</p>
<p>But perhaps most disturbing of all was the news that Internet of Things (IoT) devices and mobile malware have introduced a significant extra security risk.</p>
<p>The entire top 10 vulnerabilities exposed in 2014 came from code written years, and in some cases decades, previously.</p>
<p>&#8220;Many of the biggest security risks are issues we’ve known about for decades, leaving organisations unnecessarily exposed,&#8221; said Art Gilliland, senior vice president and general manager for enterprise security products at HP.</p>
<p>&#8220;We can’t lose sight of defending against these known vulnerabilities by entrusting security to the next silver bullet technology. Rather, organisations must employ fundamental security tactics to address known vulnerabilities and, in turn, eliminate significant amounts of risk.&#8221;</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Tomi Engdahl</title>
		<link>https://www.epanorama.net/blog/2014/12/21/aftermath-security-trends-2014/comment-page-1/#comment-1347646</link>
		<dc:creator><![CDATA[Tomi Engdahl]]></dc:creator>
		<pubDate>Tue, 24 Feb 2015 13:26:17 +0000</pubDate>
		<guid isPermaLink="false">http://www.epanorama.net/newepa/?p=27727#comment-1347646</guid>
		<description><![CDATA[Don&#039;t be fooled! He&#039;s not from the IT crowd... he&#039;s a CYBERSPY – FireEye
Is that Tom the techie or a Chinese spear-phisherman?
http://www.theregister.co.uk/2015/02/24/fireeye_threat_report/

Impersonating IT departments in spear-phishing attacks is becoming an increasingly popular tactic among hackers, particularly in cyber-espionage attacks.

IT staff themed phishing emails comprised 78 per cent of observed phishing schemes picked up by FireEye in 2014, compared to just 44 per cent in 2013.

The sixth annual FireEye Mandiant M-Trends report, published on Tuesday, reports that organisations are getting slightly speedier at picking up trespassers in their network. Breach detection times dropped from 229 days in 2013 to 205 days last year. The slight improvement still means that successful hacker attacks remain undetected for months.

In some cases breaches can go undetected for years. 

Hackers are adopting more sophisticated and stealthy tactics.

More details can be found in the 2015 Mandiant M-Trends report
https://www2.fireeye.com/rs/fireye/images/rpt-m-trends-2015.pdf]]></description>
		<content:encoded><![CDATA[<p>Don&#8217;t be fooled! He&#8217;s not from the IT crowd&#8230; he&#8217;s a CYBERSPY – FireEye<br />
Is that Tom the techie or a Chinese spear-phisherman?<br />
<a href="http://www.theregister.co.uk/2015/02/24/fireeye_threat_report/" rel="nofollow">http://www.theregister.co.uk/2015/02/24/fireeye_threat_report/</a></p>
<p>Impersonating IT departments in spear-phishing attacks is becoming an increasingly popular tactic among hackers, particularly in cyber-espionage attacks.</p>
<p>IT staff themed phishing emails comprised 78 per cent of observed phishing schemes picked up by FireEye in 2014, compared to just 44 per cent in 2013.</p>
<p>The sixth annual FireEye Mandiant M-Trends report, published on Tuesday, reports that organisations are getting slightly speedier at picking up trespassers in their network. Breach detection times dropped from 229 days in 2013 to 205 days last year. The slight improvement still means that successful hacker attacks remain undetected for months.</p>
<p>In some cases breaches can go undetected for years. </p>
<p>Hackers are adopting more sophisticated and stealthy tactics.</p>
<p>More details can be found in the 2015 Mandiant M-Trends report<br />
<a href="https://www2.fireeye.com/rs/fireye/images/rpt-m-trends-2015.pdf" rel="nofollow">https://www2.fireeye.com/rs/fireye/images/rpt-m-trends-2015.pdf</a></p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Tomi Engdahl</title>
		<link>https://www.epanorama.net/blog/2014/12/21/aftermath-security-trends-2014/comment-page-1/#comment-1347628</link>
		<dc:creator><![CDATA[Tomi Engdahl]]></dc:creator>
		<pubDate>Tue, 24 Feb 2015 12:46:30 +0000</pubDate>
		<guid isPermaLink="false">http://www.epanorama.net/newepa/?p=27727#comment-1347628</guid>
		<description><![CDATA[The State of Email Trust 2014 Report
http://info.agari.com/state-of-email-trust-2014.html

As you saw in the headlines and news, 2014 was a big year for email threats.
And from our findings - the proof is in the data.

By summarizing the TrustIndex data we gathered quarterly in 2014 that measures how well both individual companies and industries as a whole are protecting their customers from email cyberattacks, we saw that email security improved somewhat in 2014, but most companies still haven’t implemented technology that protects them from cybercrime.]]></description>
		<content:encoded><![CDATA[<p>The State of Email Trust 2014 Report<br />
<a href="http://info.agari.com/state-of-email-trust-2014.html" rel="nofollow">http://info.agari.com/state-of-email-trust-2014.html</a></p>
<p>As you saw in the headlines and news, 2014 was a big year for email threats.<br />
And from our findings &#8211; the proof is in the data.</p>
<p>By summarizing the TrustIndex data we gathered quarterly in 2014 that measures how well both individual companies and industries as a whole are protecting their customers from email cyberattacks, we saw that email security improved somewhat in 2014, but most companies still haven’t implemented technology that protects them from cybercrime.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Tomi Engdahl</title>
		<link>https://www.epanorama.net/blog/2014/12/21/aftermath-security-trends-2014/comment-page-1/#comment-1334328</link>
		<dc:creator><![CDATA[Tomi Engdahl]]></dc:creator>
		<pubDate>Wed, 28 Jan 2015 07:44:06 +0000</pubDate>
		<guid isPermaLink="false">http://www.epanorama.net/newepa/?p=27727#comment-1334328</guid>
		<description><![CDATA[2014: A Monumental Year for Cyber Attacks
http://www.eetimes.com/author.asp?section_id=36&amp;doc_id=1325433&amp;

As consumer and industrial IoT adoption rises, so does the risk for cyber-attacks. Here&#039;s what happened in 2014, as a reminder and warning.

In every single month in 2014, the cyber world experienced an attack that would have made the top-three list in any previous year. The numbers were stunning all year long: 56 million hacked at Home Depot, 76 million at JP Morgan Chase. Target, K-Mart, UPS, and the year’s most colorful attack -- Sony Pictures Entertainment -- all got hit.

The Sony Pictures Entertainment hack grabbed so much cyber ink, nobody noticed that the company’s PlayStation network was attacked -- yet again -- in early December, creating a system-wide outage. This month-by-month list is mind-numbing. And we left off the small hacks that only affected a few hundred thousand users.]]></description>
		<content:encoded><![CDATA[<p>2014: A Monumental Year for Cyber Attacks<br />
<a href="http://www.eetimes.com/author.asp?section_id=36&#038;doc_id=1325433&#038;" rel="nofollow">http://www.eetimes.com/author.asp?section_id=36&#038;doc_id=1325433&#038;</a></p>
<p>As consumer and industrial IoT adoption rises, so does the risk for cyber-attacks. Here&#8217;s what happened in 2014, as a reminder and warning.</p>
<p>In every single month in 2014, the cyber world experienced an attack that would have made the top-three list in any previous year. The numbers were stunning all year long: 56 million hacked at Home Depot, 76 million at JP Morgan Chase. Target, K-Mart, UPS, and the year’s most colorful attack &#8212; Sony Pictures Entertainment &#8212; all got hit.</p>
<p>The Sony Pictures Entertainment hack grabbed so much cyber ink, nobody noticed that the company’s PlayStation network was attacked &#8212; yet again &#8212; in early December, creating a system-wide outage. This month-by-month list is mind-numbing. And we left off the small hacks that only affected a few hundred thousand users.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Indian image bank</title>
		<link>https://www.epanorama.net/blog/2014/12/21/aftermath-security-trends-2014/comment-page-1/#comment-1330617</link>
		<dc:creator><![CDATA[Indian image bank]]></dc:creator>
		<pubDate>Mon, 19 Jan 2015 09:15:01 +0000</pubDate>
		<guid isPermaLink="false">http://www.epanorama.net/newepa/?p=27727#comment-1330617</guid>
		<description><![CDATA[Thanks for your marvelous posting! I truly enjoyed reading it, you could be a great 
author. I will make sure to bookmark your blog 
and will often come back very soon. I want to encourage you to continue your great work, have 
a nice morning!]]></description>
		<content:encoded><![CDATA[<p>Thanks for your marvelous posting! I truly enjoyed reading it, you could be a great<br />
author. I will make sure to bookmark your blog<br />
and will often come back very soon. I want to encourage you to continue your great work, have<br />
a nice morning!</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Tomi Engdahl</title>
		<link>https://www.epanorama.net/blog/2014/12/21/aftermath-security-trends-2014/comment-page-1/#comment-1328036</link>
		<dc:creator><![CDATA[Tomi Engdahl]]></dc:creator>
		<pubDate>Mon, 12 Jan 2015 11:43:34 +0000</pubDate>
		<guid isPermaLink="false">http://www.epanorama.net/newepa/?p=27727#comment-1328036</guid>
		<description><![CDATA[The Real Story Behind the Kate Upton Nude DDoS Attack
http://www.securityweek.com/real-story-behind-kate-upton-nude-ddos-attack

I recently heard about an interesting DDoS story in New Zealand involving the nude selfies of cover girl Kate Upton and Hunger Games star Jennifer Lawrence. The photos were stolen from Apple’s iCloud service. The story seemed like the perfect, illustrative fable about everything that is wrong with Internet security today. It had all the classic buzzwords: cloud security, malware, DDoS, Apple, 4chan, and lazy, lustful Internet users.

But while parts of the story were true, others...not so much.

The first third of the story is more or less true; the personal data of the celebrities was indeed exfiltrated from iCloud. Apple claims that it was due to the weak iCloud passwords used by the celebs themselves, but that explanation is just semantics. If you read an EULA carefully (many of them 25 pages or more), you will find that you personally are responsible for the security of your data in the cloud. That’s the state of cloud security today.

The middle part of the story is true as well: nearly every site hosting the celebrity photos was also hosting some kind of malware.

Ultimately, it turned out to be sheer coincidence that the attack happened in the days just after the iCloud breach. The media was so taken with the idea that Kate Upton nude photos had caused a DDoS attack that they just took the story and ran with it. It’s not difficult to understand why]]></description>
		<content:encoded><![CDATA[<p>The Real Story Behind the Kate Upton Nude DDoS Attack<br />
<a href="http://www.securityweek.com/real-story-behind-kate-upton-nude-ddos-attack" rel="nofollow">http://www.securityweek.com/real-story-behind-kate-upton-nude-ddos-attack</a></p>
<p>I recently heard about an interesting DDoS story in New Zealand involving the nude selfies of cover girl Kate Upton and Hunger Games star Jennifer Lawrence. The photos were stolen from Apple’s iCloud service. The story seemed like the perfect, illustrative fable about everything that is wrong with Internet security today. It had all the classic buzzwords: cloud security, malware, DDoS, Apple, 4chan, and lazy, lustful Internet users.</p>
<p>But while parts of the story were true, others&#8230;not so much.</p>
<p>The first third of the story is more or less true; the personal data of the celebrities was indeed exfiltrated from iCloud. Apple claims that it was due to the weak iCloud passwords used by the celebs themselves, but that explanation is just semantics. If you read an EULA carefully (many of them 25 pages or more), you will find that you personally are responsible for the security of your data in the cloud. That’s the state of cloud security today.</p>
<p>The middle part of the story is true as well: nearly every site hosting the celebrity photos was also hosting some kind of malware.</p>
<p>Ultimately, it turned out to be sheer coincidence that the attack happened in the days just after the iCloud breach. The media was so taken with the idea that Kate Upton nude photos had caused a DDoS attack that they just took the story and ran with it. It’s not difficult to understand why</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Tomi Engdahl</title>
		<link>https://www.epanorama.net/blog/2014/12/21/aftermath-security-trends-2014/comment-page-1/#comment-1326970</link>
		<dc:creator><![CDATA[Tomi Engdahl]]></dc:creator>
		<pubDate>Fri, 09 Jan 2015 09:22:32 +0000</pubDate>
		<guid isPermaLink="false">http://www.epanorama.net/newepa/?p=27727#comment-1326970</guid>
		<description><![CDATA[State of Bitcoin 2015: Ecosystem Grows Despite Price Decline
http://www.coindesk.com/state-bitcoin-2015-ecosystem-grows-despite-price-decline/

CoinDesk is pleased to announce the latest quarterly State of Bitcoin report, featuring a 2014 Year in Review, an in-depth analysis of data and events from the fourth quarter of 2014 and a look ahead to what 2015 might bring. 

Overall, 2014 could be characterized as a ‘Tale of Two Bitcoins’.

On the one hand, significant bitcoin venture investment continued and much progress was made in furthering adoption, particularly in bitcoin payment acceptance by big brand names such as Microsoft and Dell.

On the other hand, early on in 2014, the collapse of Mt Gox dealt a crippling blow to bitcoin’s extraordinary price momentum. 

All-time bitcoin startup VC investment crosses $400 million]]></description>
		<content:encoded><![CDATA[<p>State of Bitcoin 2015: Ecosystem Grows Despite Price Decline<br />
<a href="http://www.coindesk.com/state-bitcoin-2015-ecosystem-grows-despite-price-decline/" rel="nofollow">http://www.coindesk.com/state-bitcoin-2015-ecosystem-grows-despite-price-decline/</a></p>
<p>CoinDesk is pleased to announce the latest quarterly State of Bitcoin report, featuring a 2014 Year in Review, an in-depth analysis of data and events from the fourth quarter of 2014 and a look ahead to what 2015 might bring. </p>
<p>Overall, 2014 could be characterized as a ‘Tale of Two Bitcoins’.</p>
<p>On the one hand, significant bitcoin venture investment continued and much progress was made in furthering adoption, particularly in bitcoin payment acceptance by big brand names such as Microsoft and Dell.</p>
<p>On the other hand, early on in 2014, the collapse of Mt Gox dealt a crippling blow to bitcoin’s extraordinary price momentum. </p>
<p>All-time bitcoin startup VC investment crosses $400 million</p>
]]></content:encoded>
	</item>
</channel>
</rss>
